[Dshield] Analyzing DShield data for indications of possible problems?
ed.truitt at etee2k.net
Thu Jun 27 14:14:18 GMT 2002
Yesterday, my team lead (who is also a DShield.org list subscriber) and I were talking about something I thought I would pass along to serve as a discussion starter. We both have read numerous instances of people asking if they have seen an increase in probing / scanning activity on this port or that, or from a certain netblock, country, or region, etc.

We talked about the similarities between network scanning / probing and other process controls (like a chemical plant or a refinery). Specifically, if we could establish a baseline which represents the "normal" level of scanning activities, then we could let the computers analyze data as it was gathered, and look for "statistically significant" events - those which deviate from the norm enough that they indicate that something has changed. After all, we know that Port 80 scanning activity will drop off around the 20th of the month, then pick back up around the first, as this is the default behavior for CR/Nimda. So, a change in activity that matches that pattern is not something to worry about - unless the level of change is significantly different. However, a brief burst of scanning on a previously quiet port (SNMP, anyone?) might indicate a recon, prior to unleashing a new worm (I remember seeing this pattern before SQLsnake showed up.) Also, a change in the amount of activity from a specific geographical region/netblock might indicate preparations for a cyber-attack. Such information might help ISS alert sysadmins to batten down the hatches, and might allow us the time to mitigate, if not eliminate, the damage such an attack could

DShield.org has the data. Does anyone else see value in approaching scans/probes/hacktivity from this perspective (process control)? It seems to me to be a better approach than people asking "have you
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
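The baseline-and-deviation approach the post proposes, as an added example that is not part of the original message or of any DShield tooling: it builds a robust per-port baseline (median and MAD) from constructed daily hit counts, gives port 80 a calendar-aware baseline so the expected CR/Nimda drop from the 20th is not flagged, and reports only the days that deviate far from the norm. The daily counts, the two-month calendar and the port 161 burst are constructed assumptions, not real DShield submissions.

```python
import statistics
from collections import defaultdict


def day_of_month(day):
    # Constructed calendar: two 30-day months, days numbered 1..60.
    return (day - 1) % 30 + 1


def regime(port, day):
    # Port 80 gets a calendar-aware baseline: CR/Nimda scanning is high from the
    # 1st to the 19th and drops off from the 20th, so each phase is compared
    # only with itself. Every other port gets a single baseline.
    if port == 80:
        return "busy" if day_of_month(day) < 20 else "quiet"
    return "all"


def constructed_observations():
    """Constructed sample data (not real submissions): (day, port, hit_count)."""
    obs = []
    for day in range(1, 61):
        busy = 400 + (day % 5) * 3           # ordinary 1st-19th web scanning level
        quiet = 80 + (day % 5) * 2           # ordinary 20th-onward level
        web = busy if day_of_month(day) < 20 else quiet
        snmp = 2 + (day % 3)                 # port 161 is normally near-silent
        if day == 10:
            web = 900                        # large spike inside the busy phase
        if day == 45:
            snmp = 60                        # brief burst on a quiet port
        obs.append((day, 80, web))
        obs.append((day, 161, snmp))
    return obs


def build_baseline(observations):
    """Median and MAD per (port, regime); robust so a burst does not inflate its own baseline."""
    groups = defaultdict(list)
    for day, port, count in observations:
        groups[(port, regime(port, day))].append(count)
    baseline = {}
    for key, counts in groups.items():
        med = statistics.median(counts)
        baseline[key] = (med, statistics.median(abs(c - med) for c in counts))
    return baseline


def flag_deviations(observations, baseline, threshold=5.0, floor=1.0):
    """Return (day, port, count, score) where |count - median| / MAD exceeds threshold."""
    flagged = []
    for day, port, count in observations:
        med, mad = baseline[(port, regime(port, day))]
        score = (count - med) / max(mad, floor)  # floor keeps a MAD of 0 on quiet ports usable
        if abs(score) > threshold:
            flagged.append((day, port, count, round(score, 1)))
    return flagged
```

With this data the port 80 drop on the 20th is never flagged, while the day-10 web spike and the day-45 SNMP burst are the only two rows returned.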